pupmod-simp-ntpd

Table of Contents

• Description
• Setup
  • What ntpd affects
• Usage
• Reference
• Limitations
• Development

Description

Set up ntpd in either standalone or server mode.

Setup

What ntpd affects

Manages the following:

• ntp package
• ntp user/group
• ntpd service
• These files and directories:
  • /etc/ntp.conf
  • /etc/ntp/
  • /etc/ntp/keys
  • /etc/sysconfig/ntpd
  • /var/lib/ntp

Usage

class { 'ntpd': }

Reference

See the Reference Documentation for full details

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

Reference

Table of Contents

Classes

• ntpd: Set up ntpd in either standalone or server mode
• ntpd::ntpdate: Manage the setup of ntpdate

Defined types

• ntpd::allow: Allow access to this server from a particular address or netmask

Classes

ntpd

Set up ntpd in either standalone or server mode

• See also ntp.conf(5)

Parameters

The following parameters are available in the ntpd class.

ntpd_options

Data type: String[1]

Options for the ntp daemon, put into /etc/sysconfig/ntpd

servers

Data type: Ntpd::Servers

An array of servers or a Hash of server/option pairs providing details for the NTP servers that this system should synchronize with

• Example

  servers => {
    'time.local.net' => ['iburst','minpoll 4', 'prefer'],
    # This one will just use $default_options
    'time.other.net' => []
  }
  

Default value: simplib::lookup('simp_options::ntpd::servers', { 'default_value' => {} })

stratum

Data type: Integer[0]

The stratum for this system

• This only comes into play if no external servers are defined and the stratum has to be fudged

Default value: 2

logconfig

Data type: Array[String[1]]

A list of options for refining the system log output

Default value: ['=syncall','+clockall']

broadcastdelay

Data type: Numeric

Default calibration delay

Default value: 0.004

default_options

Data type: Array[String[1]]

The default options that will be added to all servers

• Set to an empty array to disable

Default value: ['minpoll 4','maxpoll 4','iburst']

default_restrict

Data type: Array[Ntpd::Restrict]

The default IPv4 restrict options

Default value: ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery']

default_restrict6

Data type: Array[Ntpd::Restrict]

The default IPv6 restrict options

Default value: $default_restrict

admin_hosts

Data type: Array[Simplib::IP::V4]

Hosts that are allowed unrestricted access via IPv4

Default value: ['127.0.0.1']

admin_hosts6

Data type: Array[Simplib::IP::V6]

Hosts that are allowed unrestricted access via IPv6

Default value: ['::1']

discard

Data type: Optional[Ntpd::Discard]

An optional has that can be used to set the average,minimum and monitor options for discard

Default value: undef

disable_monitor

Data type: Boolean

Disable the monitoring facility to prevent amplification attacks using ntpdc monlist command when default restrict does not include the noquery flag

• See CVE-2013-5211 for details

Default value: true

manage_ntpdate

Data type: Boolean

Manage ntpdate settings

Default value: true

trusted_nets

Data type: Optional[Simplib::Netlist]

Setting this to an Array of networks/hostnames that you trust for communication will enable a default ntpd::alow entry so that remote systems can query this system for time.

Default value: undef

default_restrict_rules

Data type: Optional[Array[Ntpd::Restrict]]

Set to an Array of restrict rules of your choosing

• Has no effect if $trusted_nets is not set

Default value: undef

firewall

Data type: Boolean

Enable management of the firewall in relation to inbound communication

• Has no effect if $trusted_nets is not set

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})

ntpdate_servers

Data type: Ntpd::Servers

NTP servers that are used in the ntpdate script at startup

Default value: $servers

ntpdate_sync_hwclock

Data type: Boolean

Set to true to sync hw clock after successful ntpdate. Set in /etc/sysconfig/ntpdate

Default value: true

ntpdate_retry

Data type: Integer[0]

Number of retries before giving up. Set in /etc/sysconfig/ntpdate

Default value: 2

ntpdate_options

Data type: Optional[String[1]]

Options for ntpdate. Set in /etc/sysconfig/ntpdate

Default value: undef

auditd

Data type: Boolean

Enable auditd monitoring of the ntp configuration files

• This probably isn't needed in most cases since Puppet controls these files, but some systems require it

Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})

package_ensure

Data type: String

ensure parameter for the ntp package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

extra_content

Data type: Optional[String[1]]

An unvalidated String that will be appended to the configuration file

Default value: undef

config_content

Data type: Optional[String[1]]

The entire content of the configuration file. ALL OTHER ntpd CONFIGURATION OPTIONS WILL BE IGNORED.

• NOTE: Calls to ntpd::allow will still add restrict lines to the configuration.

Default value: undef

ntpd::ntpdate

Manage the setup of ntpdate

Defined types

ntpd::allow

Allow access to this server from a particular address or netmask

Parameters

The following parameters are available in the ntpd::allow defined type.

rules

Data type: Optional[Variant[ String[1],Array[Ntpd::Restrict] ]]

A standard ntpd.conf restrict rule (notrust, etc...)

Default value: undef

trusted_nets

Data type: Simplib::Netlist

Networks and Hosts to allow

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] })

firewall

Data type: Boolean

If enabled, allow connections from trusted_nets

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})

• Mon Jun 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0-0

• Drop Puppet 4 support
• Add ability for users to enable a default server capability directly from Hiera
• Fix minor typos in some templates
• Add REFERENCE.md

• Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0

• Use simplib::nets2ddq in lieu of deprecated Puppet 3 nets2ddq

• Wed Mar 06 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0

• Validated Puppet 6 support
• Ensure that users can change the default 'restrict' parameters
• Allow users to add arbitrary extra content to the ntpd.conf
• Allow users to define the entire ntpd.conf content

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0-0

• Expanded the upper limit of the concat and stdlib Puppet module versions
• Updated a URL in the README.md

• Wed Nov 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0

• Update badges in README.md

• Mon Sep 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Removed nodeset symlink

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0

• Update Hiera 4 to Hiera 5

• Mon Aug 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0

• Fixed bug in which ntpd::ntpd_options was not applied to ntpd::servers when ntpd::servers is an array.

• Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0

• Add support for Puppet 5 and OEL

• Fri Jun 15 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0

• Update version range of auditd dependency in metadata.json
• Removed unneeded fixtures

• Thu Mar 08 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0

• Manage ntpdate via ntpd::ntpdate
  • Manage /etc/ntp/step-tickers
  • Manage /etc/sysconfig/ntpdate
    • New params ntpdate_sync_hwclock, ntpdate_retrym and ntpdate_options should cover all options from RedHat
    • SYNC_HWCLOCK=yes is now set here instead of /etc/sysconfig/ntp
• Add $package_ensure parameter to control the ntp package version
• Move some multiline strings into variables (style recommendation)
• The module now only requires one puppet run to apply completely
• Added essential-level acceptance test

• Fri Feb 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0

• Update upperbound on puppetlabs/concat version to < 5.0.0

• Wed Nov 22 2017 Steven Pritchard steven.pritchard@onyxpoint.com - 6.1.0-0

• Documentation updates

• Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.3-0

• Update concat version in metadata.json

• Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0

• Update puppet dependency in metadata.json

• Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0

• ntpd::servers now pulls from simp_options as expected

• Fri Dec 16 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0

• Update Global Catalysts
• Strongly type parameters
• Remove trailing spaces

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0

• update requirement versions

• Mon Nov 21 2016 SIMP-Team https://groups.google.com/forum/#!forum/simp - 5.0.0-0

• Updated module for compliance markup API v1.0.0 compatibility.

• Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Updated iptables dependency version

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-10

• Added compliance function support

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-9

• migration to simplib and simpcat (lib/ only)

• Mon Jul 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Updated the default restrict options to be more restrictive.
• Ref: https://access.redhat.com/articles/1305723

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Changed puppet-server requirement to puppet

• Wed Dec 17 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

• NTP allow files should use DDQ format for restict entries.

• Tue Oct 07 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Removed /etc/ntp/ntpservers and added the logic into the main ntp configuration file.
• Removed /etc/ntp/step-tickers management

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3

• Removed MD5 file checksums for FIPS compliance.

• Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Added support for 'disable_monitor' to fix CVE-2013-5211.

• Thu Jun 12 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-2

• Ntp servers can now be passed in as an array of server names or a hash of server => 'option' pairs.

• Sat Apr 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Restructured the entire ntpd module.
• Added spec tests.

• Sat Feb 15 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-0

• Converted all string booleans to native booleans.

• Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.0.0-5

• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 4.0.0-4

• Updated all erb templates to properly scope variables.

• Thu Jun 07 2012 Maintenance 4.0.0-3

• Ensure that Arrays in templates are flattened.
• Call facts as instance variables.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 4.0.0-2

• Improved test stubs.

• Mon Dec 26 2011 Maintenance 4.0.0-1

• Updated the spec file to not require a separate file list.
• Scoped all of the top level variables.

• Mon Nov 07 2011 Maintenance 4.0.0-0

• Fixed call to rsyslog restart for RHEL6.

• Tue Aug 23 2011 Maintenance - 2.0.0-2

• Updated to set $address = nil by default in ntpd::server::allow.

• Thu May 12 2011 Maintenance - 2.0.0-1

• Updated ntp configuration to properly set /etc/ntp/ntpservers as well as the ability to set server options.
• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Fri Dec 10 2010 Maintenance - 1-3

• Ensure that the local stratus is set to 20 instead of 10.
• Added a 'networks' option to ntpd::server::allow that can take an array of DDQ entries to set the various servers.
• Added the ability to configure a standalone NTP server and properly spoof the stratum advertised. See the ntpd::stock space for example functional usage.

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jun 30 2010 Maintenance 1.0-1

• Fixed a problem in ntp.allow.erb where the 'mask' value was not being set properly.

• Fri May 21 2010 Maintenance 1.0-0

• Code refactor and doc update.

• Tue Nov 24 2009 Maintenance 0.1-10

• ntpd::server now allows an array of client networks.